Stuxnet was never meant to propagate in the wild.

In 2011, the US government rolled out its "International Strategy for Cyberspace," which reminded us that "interconnected networks link nations more closely, so an attack on one nation’s networks may have impact far beyond its borders." An in-depth report today from the New York Times confirms the truth of that statement as it finally lays bare the history and development of the Stuxnet virus—and how it accidentally escaped from the Iranian nuclear facility that was its target.

The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet. The goal of the worm was to break Iranian nuclear centrifuge equipment by issuing specific commands to the industrial control hardware responsible for their spin rate. By doing so, both governments hoped to set back the Iranian research program—and the US hoped to keep Israel from launching a pre-emptive military attack.

The code was only supposed to work within Iran's Natanz refining facility, which was air-gapped from outside networks and thus difficult to penetrate. But computers and memory cards could be carried between the public Internet and the private Natanz network, and a preliminary bit of "beacon" code was used to map out all the network connections within the plant and report them back to the NSA.

That program, first authorized by George W. Bush, worked well enough to provide a digital map of Natanz and its industrial control hardware. Soon, US national labs were testing different bits of the plan to sabotage Natanz (apparently without knowing what the work was for) using similar centrifuges that had come from Libya's Qadaffi regime. When the coders found the right sets of commands to literally shake the centrifuges apart, they knew that Stuxnet could work.

When ready, Stuxnet was introduced to Natanz, perhaps by a double agent.

Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others—both spies and unwitting accomplices—with physical access to the plant. “That was our holy grail,” one of the architects of the plan said. “It turns out there is always an idiot around who doesn’t think much about the thumb drive in their hand.”

In fact, thumb drives turned out to be critical in spreading the first variants of the computer worm; later, more sophisticated methods were developed to deliver the malicious code.

When Barack Obama came to office, he continued the program—called "Olympic Games"—which unpredictably disabled bits of the Natanz plant even as it told controllers that everything was normal. But in 2010, Stuxnet escaped Natanz, probably on someone's laptop; once connected to the outside Internet, it did what it was designed not to do: spread in public. The blame game began about who had slipped up in the coding.

“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”

Mr. Obama, according to officials in the room, asked a series of questions, fearful that the code could do damage outside the plant. The answers came back in hedged terms. Mr. Biden fumed. “It’s got to be the Israelis,” he said. “They went too far.”

Once released more widely, the Stuxnet code was found and then disassembled by security researchers.

Please don't follow our example

As the International Strategy for Cyberspace notes, these sorts of electronic attacks are serious business. The US in fact reserves the right to use even military force to respond to similar attacks. "All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners," says the report. "We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law."

Yet the US had just gone on the cyber-attack, and everyone knew it. Speculation has long swirled around government-backed hackers from nations like China and Russia, especially, who have been suspected of involvement in espionage, industrial trade secret theft, and much else. Would something like Stuxnet damage US credibility when it complained about such attacks? (China has long adopted the "you do it too!" defense on Internet issues, especially when it comes to censoring and filtering of Internet content.)

Obama was at least aware of the likely answer—yes—but pressed ahead, even accelerating the Olympic Games program.

[Obama] repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks. “We discussed the irony, more than once,” one of his aides said.

Stuxnet is old news by now. Even the newly discovered "Flame" malware was developed some time ago. While details about these two targeted attack packages are finally emerging, the next generation of attack tools has no doubt been developed and likely deployed.

I'd argue that this was the opposite of an "act of war," as it was designed to prevent one. The fact that the majority of the world invokes sanctions against Iran and their nuclear ambitions (the 'Holocaust didn't happen' doesn't bode well) makes it slightly different than a foe-on-foe strategic struggle. Even if it were to be considered an "act of war," I can pretty much guarantee several major world powers have committed multiple "acts of war" against the U.S. I may be persuaded to consider it an act of war between Israel and Iran, but when the latter has terrorists acting in a paramilitary role, I'd say they have already been at a state of war for quite some time.

I'd argue that this was the opposite of an "act of war," as it was designed to prevent one.

Whatever it was designed to do, what it did was damage and/or destroy material of a sovereign nation. What if a similar such plant was taken out by similar means on US soil? The public outcry would be one of blood.

I'd argue that this was the opposite of an "act of war," as it was designed to prevent one.

Whatever it was designed to do, what it did was damage and/or destroy material of a sovereign nation. What if a similar such plant was taken out by similar means on US soil? The public outcry would be one of blood.

US of A would instantly go to war if Iran wrote something similar and got it into US nuclear facilities.

This article doesn't explain how much involvement America actually had in writing the malware and/or getting it to the target locations. I am torn on how I feel about this "news" although I have my doubts on the reason anyone would actually confirm this actually happened.

I would be alright if America simply did the research required that made this malware possible. If Israel was the one who coded and distributed the Stuxnet to the locations I am alright with it. If America had any part in actually getting Stuxnet to the locations, it makes us look silly, after we complain having the same thing done to us.

No real surprise here, including the bit with the US engineers saying "We didn't stuff up, must've been the Israelis".

Yes, it's an act of war. Yes, the US is likely the most vulnerable country on Earth to a similar kind of attack on its water supplies, electricity, basic infrastructure that's owned by private companies who're "managing risk" (and leaving network-connected infrastructure unprotected, as has recently been pointed out on Ars) while making their profits.

Will there be a counter-attack? Who knows, but nobody can say now that their hands were clean when they're telling other nations to stop the cyber-espionage.

A bit of long-term thinking may have prevented this kind of idiocy, but then again if this administration doesn't do it the next one will.

In the meantime, will the International Olympic Committee be suing the US government for breach of IOC naming rights? Or did the US buy those rights before setting up this program?

EDIT: I make it sound like the USA is the supreme douchebag here. That's certainly not my opinion though.

You missed step 4: *Iran pours huge amounts of funding into every anti-US terrorist group it can find.*

I am not an Iran expert. But I think they will do that anyway. They need to breed fear among the population to keep them all facing the same way. Otherwise the current regime won't manage to stay on top.

I'd argue that this was the opposite of an "act of war," as it was designed to prevent one. The fact that the majority of the world invokes sanctions against Iran and their nuclear ambitions (the 'Holocaust didn't happen' doesn't bode well) makes it slightly different than a foe-on-foe strategic struggle. Even if it were to be considered an "act of war," I can pretty much guarantee several major world powers have committed multiple "acts of war" against the U.S. I may be persuaded to consider it an act of war between Israel and Iran, but when the latter has terrorists acting in a paramilitary role, I'd say they have already been at a state of war for quite some time.

The US Defence Secretary already said that cyber attacks against infrastructure like power grids would be considered an act of war by the US. Taking out a nation's nuclear plants would seem to land in the same category.

Hardly a wonder why America is hated so much isn't it. The only country to use the Atom bomb on civilians. Tells other countries not to get an Atom bomb. The only country carrying out a state sponsored act of war. Tells other countries not to do the same.

Drops bombs on people's countries for false regime change purely because they wanted to sell Oil in Euros instead of dollars.

This is not an attack on the people of America, just as saying North Korea is an awful regime isn't an attack on the North Korean people.

Both have been totally and utterly brainwashed by their relative governments, and are fed (and believe) the propaganda they are doing these acts to protect them.

You still have the right to bear arms Americans. You know why that is. You might want to use that right before every last vestige of your Constitution is turned to dust.

so far your proof is "this journalist said that these un-named officials said..."

and that's good enough proof for everyone apparently. no one even stopping to question that it might not be true. that journalist also happens to be selling a related book, if these are lies he would profit greatly from them.

i'm not saying it isn't true. it very well might be. all i'm saying is we haven't seen valid proof in this article. so far it's just a likely theory. and there's a big difference between truth and likely theory.

No surprise here. I mean, nuclear scientists in Iran are being assassinated in broad daylight. It seems someone is really already conducting a low level war. I just wonder when the Iranians are going to run out of patience? (Maybe when they get their bomb finished?)

1. If these tactics are used by a state agency, or in any way sponsored or condoned by a state, against a non-enemy state, would they be considered acts of war? I should think so, since crippling essential infrastructure is a serious act of aggression. And what if there's no proof that the authors of the attack are state-sanctioned? Will they be considered enemy combatants and warrant military action?

2. In principle states are immune from legal prosecution by foreigners (although there are exceptions). Could states be liable for damages/loss of lives/whatever other consequences of these digital attacks?

3. I hope this example serves to improve security in essential facilities, e.g. by locking down all access to any critical system or any system in any way connected to it. Sure, there could always be high-level undercover operatives, but at least it would be more difficult to deploy worms inside a critical network.

4. What about industrial sabotage/espionage, regardless of critical infrastructures? I could see US or Chinese companies attacking their competitors in this way, if it's not been done already.

EDIT: I make it sound like the USA is the supreme douchebag here. That's certainly not my opinion though.

You missed step 4: *Iran pours huge amounts of funding into every anti-US terrorist group it can find.*

I am not an Iran expert. But I think they will do that anyway. They need to breed fear among the population to keep them all facing the same way. Otherwise the current regime won't manage to stay on top.

I thought someone might pick up on that and likewise, I'm no expert. What I meant was that if they weren't funding them before, they're more likely to be now. If they were funding them before, they're more likely to fund them even more now.

EDIT: I make it sound like the USA is the supreme douchebag here. That's certainly not my opinion though.

You missed step 4: *Iran pours huge amounts of funding into every anti-US terrorist group it can find.*

I am not an Iran expert. But I think they will do that anyway. They need to breed fear among the population to keep them all facing the same way. Otherwise the current regime won't manage to stay on top.

From an outsider perspective the same seems to apply for US domestic politics.

I think that it is time to give some governments a time out and require them to spend 15 minutes in the corner without their electronic toys.

Clearly "they" have not learned yet what it means to play nice. When someone turns around in the near future and breaks America's toys, all I will be able to think and say, is "haha."

Seriously folks. It's high time that Americans take back their government from the nutbars on the left and right that are not interested in the American people, unless it's election time. Claim back your country, your privacy rights and hobble your government a little bit more.

EDIT: I make it sound like the USA is the supreme douchebag here. That's certainly not my opinion though.

You missed step 4: *Iran pours huge amounts of funding into every anti-US terrorist group it can find.*

I am not an Iran expert. But I think they will do that anyway. They need to breed fear among the population to keep them all facing the same way. Otherwise the current regime won't manage to stay on top.

I thought someone might pick up on that and likewise, I'm no expert. What I meant was that if they weren't funding them before, they're more likely to be now. If they were funding them before, they're more likely to fund them even more now.

They were funding them before, so they will merely continue to. Hezbollah is pretty much paid for by the Iranians. And before this Stuxnet virus was developed the Iranians were already sending money and material to destabilize Iraq and Afghanistan. Basically it's been a low level hot war for more than a decade. To those worried "but what if it makes a real war break out!" don't worry, there is already one underway, this was just the next evolution.

It's more an act of espionage or covert sabotage than an act of war. Having said that, pretty much anything can be claimed as an act of war. Jenkins' Ear, etc.

During the cold war, US, UK and Russian spies were constantly giving each other misinformation and using double agents to sabotage nuclear experiments.

The scale of the event matters. Causing some centrifuges to go offline is not a good casus belli. Causing them to fail in a critical/explosive manner would be a clear act of war.

If Iran caused some USA nuclear testing experiment to fail, then the USA wouldn't go to war over it. They'd probably just deny that the event ever occurred (and divert a load of money into retaliatory black ops like stuxnet). I suspect stuxnet has caused Iran to fund a lot more anti-American cyber-ops than they would have otherwise done.

This is god damned terrifying. Are there no limits these days? Another country could easily see that as an act of war for fucks sake.

Just what most stupid ass Politicians want anyways. War is Good to these guys. Rep or Dem will think War Is Peace and War is Profit. Human Lives well doubt they truly care about us. And yes stuff like this is an Act of War.

It's more an act of espionage or covert sabotage than an act of war. Having said that, pretty much anything can be claimed as an act of war. Jenkins' Ear, etc.

During the cold war, US, UK and Russian spies were constantly giving each other misinformation and using double agents to sabotage nuclear experiments.

The scale of the event matters. Causing some centrifuges to go offline is not a good casus belli. Causing them to fail in a critical/explosive manner would be a clear act of war.

Exactly. The US and the USSR used to do all kinds of mean, underhanded things to each other, and did so for nigh on 40 years. Things which at times, actually devolved to people shooting real bullets and missiles at each other. Actual war is srs bzns, and you don't cross that line unless you have a real point to prove and are willing to risk pretty much everything you put on the line to prove it. Iran's not going to war over some busted centrifuges, any more than the US is going to go to war with China over their continued and pervasive cyber-espionage efforts against the US.

CONFIRMED? lol. There's no confirmation here. It does seem likely and possible, but it's not confirmed.

Actually it's an article about a book by a journalist which hasn't been released yet. Whether there is proof or not remains to be seen.

I bet the book will quite cleverly make many claims which cannot be proven or disproven, the author laughing his way to the bank.

Nothing has been "confirmed" here and it is irresponsible reporting to say confirmed without providing real confirmation. Just as it is irresponsible news reading to believe everything without proper proof, which this article lacks.

I am not an Iran expert. But I think they will do that anyway. They need to breed fear among the population to keep them all facing the same way. Otherwise the current regime won't manage to stay on top.

From an outsider perspective the same seems to apply for US domestic politics.

Sort of. I think however politicians here in the US, in the form of 'Democrats' and 'Republicans', tend to find issues which divide public opinion along 50/50 lines so that we're constantly squared off at each other over one issue or another. While our attention is elsewhere they run amok with foreign/fiscal/national policy, push agendas for whatever lobbyist has the biggest bag of cash regardless of the public's best interest, and generally fuck everything up.

In 2006 the security council of the UN demanded that Iran stop its uranium enrichment program. This is resolution 1696. The security council contains the most prominent nations of the world, including the US, UK, France, China, Russia, etc.

According to this story as published in the book, Iran wasn't stopping, so the US worked on a nonviolent solution. The alternative was to accept future rogue nukes in the Middle East, not a fun prospect.

It's more an act of espionage or covert sabotage than an act of war. Having said that, pretty much anything can be claimed as an act of war. Jenkins' Ear, etc.

During the cold war, US, UK and Russian spies were constantly giving each other misinformation and using double agents to sabotage nuclear experiments.

The scale of the event matters. Causing some centrifuges to go offline is not a good casus belli. Causing them to fail in a critical/explosive manner would be a clear act of war.

If Iran caused some USA nuclear testing experiment to fail, then the USA wouldn't go to war over it. They'd probably just deny that the event ever occurred (and divert a load of money into retaliatory black ops like stuxnet). I suspect stuxnet has caused Iran to fund a lot more anti-American cyber-ops than they would have otherwise done.

Wait ... is my understanding wrong or am I just plain stupid? An act of sabotaging a vital facility of another country isn't categorized as an act of war? So, basically, if another country, i.e. Iran or North Korea, sabotages a US public facility, should the US not be offended? Heck, the espionage itself is an act of war. You even state it yourself. A cold war is still a war. A war in a different field. So, I'd like to know. The US struck them first. Do the Iranians have the right to retaliate?